Directory Service: Event ID 1480 and 1393, replication halted due to low disk space

The information provided in event logs is often not too clear, but it has definitely gotten better starting in W2K8. I recently encountered an issue where replication delays to a certain DC were reported. I immediately looked at the repadmin replication summary and noticed that my deltas, which usually stayed within an hour, had jumped up to ~13 hours.

The ‘destination DSA’ section gives you a clue about the DC that’s having issues pulling replicated changes in. I looked at the event logs on that DC and filtered the DS logs to around 13 hours ago. I noticed event IDs 1393 and 1480 citing the low disk space issue and how it had paused the netlogon service. Luckily there was no “user authentication traffic” against this DC, as it was a hub site DC with no user subnet tied to its site; otherwise the impact would have been bigger, with users not being able to log on to their workstations. The replication lag in this instance was reported by an internal application portal that was not reflecting the changes that were made in AD. Nonetheless, it was an issue that had to be fixed.

Low disk space on a DC is a serious issue anyway, but in this instance a FIM job had just run that had imported thousands of new objects, incurring a slight NTDS size change. This is one of the reasons I don’t like to put NTDS and SYSVOL on the system partition. I did clean up some unneeded and temp files, but the long-term solution is to relocate the DB to a different drive/volume: http://technet.microsoft.com/en-us/library/cc782948%28WS.10%29.aspx.

Immediately afterwards, replication was back to normal.
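The checks described above can be collected in one pass on the affected DC. This is an added example, not part of the original post; the lookback window and the free-space threshold are assumed values.

```powershell
# Added example (not from the original post). Run locally on the DC that
# 'repadmin /replsummary' lists under Destination DSA with a large delta.
# $LookbackHours and $MinFreePct are assumed values; tune them to your environment.
$LookbackHours = 24
$MinFreePct    = 10

# Find the volume that holds NTDS.dit from the NTDS service parameters.
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ditPath = (Get-ItemProperty -Path $ntdsKey).'DSA Database file'
$drive   = Split-Path -Path $ditPath -Qualifier          # e.g. 'C:'

$disk    = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$drive'"
$freePct = [math]::Round(100 * $disk.FreeSpace / $disk.Size, 1)

# Events 1393 and 1480 are the low-disk-space events described in the post.
# Get-WinEvent raises an error when nothing matches, hence SilentlyContinue.
$events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 1393, 1480
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    } -ErrorAction SilentlyContinue)

# The post notes that Netlogon was paused as a result of the condition.
$netlogon = (Get-Service -Name Netlogon).Status

$report = [pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    NtdsPath         = $ditPath
    NtdsSizeMB       = [math]::Round((Get-Item -LiteralPath $ditPath).Length / 1MB)
    VolumeFreeGB     = [math]::Round($disk.FreeSpace / 1GB, 1)
    VolumeFreePct    = $freePct
    LowDiskEvents    = $events.Count
    LatestLowDiskEvt = ($events | Select-Object -First 1).TimeCreated
    Netlogon         = $netlogon
}
$report | Format-List

if ($freePct -lt $MinFreePct -or $events.Count -gt 0 -or $netlogon -ne 'Running') {
    Write-Warning "Low disk space may be holding up inbound replication on $($report.Computer)."
}
```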

Exchange 2010 Setup and .Net Framework 3.5 SP1 Requirement

Starting with Exchange 2007, the good thing about the setup wizard is that it guides you through all the prerequisites and provides links from which you can download them.

However, if you are installing Exchange 2010 on a Windows Server 2008 (or R2) box, and you follow the link provided by the wizard and download the general .Net Framework 3.5 from MS Downloads, you are likely to get the error “You must use the Role Management Tool to install or configure Microsoft .Net Framework 3.5” upon installing it.

This is because the .Net Framework 3.5 is bundled in as a “feature”, and you must add it from the Server Manager/Features snap-in (formerly add/remove programs). This is not pertinent only to Exchange; it applies to all other apps that require .Net Framework 3.5.

Is there an Active Directory Visual Illustration/Diagram ?

A question was raised on ActiveDir, and I learned about an old TechNet Jigsaw on AD’s interworking.

Along with that, there was a new Windows Server 2008 AD Feature Components poster, which I received at Tech-Ed 2007; it illustrates the new and improved AD pieces introduced with Windows Server 2008. This poster covers ADLDS, ADFS, ADRMS, and RODCs.

And an additional poster on general new Windows Server 2008 Feature Components that covers TS, NAP, IIS 7.0, Virtualization, Server Core and BitLocker.

Both of the above illustrations are very good quality, large-size posters (30x20in) and are good to hang in your office/cube. Printing them on a regular printer may distort the quality, so you may try a plotter :). All three can be downloaded from the following links:

TechNet Magazine Active Directory Component Jigsaw Poster

Windows Server 2008 Component Posters (both)

P.S This is my first test post using WLW.

No RIDs for you (the RODC) !

Says the RID Master FSMO to a RODC. If you recall, the RID Master’s sole job is to make sure that duplicate SIDs are not issued by domain controllers. Whenever a DC needs to create a SID, it takes the next available value from its own RID pool to create the SID with a unique value. The default pool size is 500 RIDs. When we run the RID pool test on a RODC, the test is skipped because the DC is a RODC and has nothing to do with the creation of new objects.

dcdiag /v /test:ridmanager

Here is how the test is supposed to report back with the remaining pool of the allocated RIDs.
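The remaining pool can also be read straight from each DC's RID Set object, which shows why a RODC has nothing to report. This is an added example, not from the original post; it assumes the ActiveDirectory PowerShell module and the conventional CN=RID Set location under each DC's computer object, and the helper name Split-RidPool is hypothetical.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Split-RidPool {
    # Hypothetical helper. A RID pool attribute is one 64-bit value:
    # high 32 bits = upper bound of the pool, low 32 bits = lower bound.
    param([Parameter(Mandatory = $true)][long]$Value)
    $low  = 0L
    $high = [math]::DivRem($Value, 4294967296L, [ref]$low)
    [pscustomobject]@{ Low = $low; High = $high }
}

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    if ($dc.IsReadOnly) {
        # A RODC never creates security principals, so it holds no RID pool.
        [pscustomobject]@{
            DC = $dc.HostName; ReadOnly = $true
            PoolLow = $null; PoolHigh = $null; NextRid = $null; Remaining = $null
        }
        continue
    }

    # rIDNextRID is not replicated, so each DC is asked about its own RID Set.
    # Assumption: the RID Set sits at the conventional DN under the DC's computer object.
    $ridSet = Get-ADObject -Identity "CN=RID Set,$($dc.ComputerObjectDN)" `
        -Server $dc.HostName -Properties rIDPreviousAllocationPool, rIDNextRID

    # rIDPreviousAllocationPool is the pool the DC is currently allocating from.
    $pool = Split-RidPool -Value $ridSet.rIDPreviousAllocationPool
    [pscustomobject]@{
        DC        = $dc.HostName
        ReadOnly  = $false
        PoolLow   = $pool.Low
        PoolHigh  = $pool.High
        NextRid   = $ridSet.rIDNextRID
        Remaining = $pool.High - $ridSet.rIDNextRID
    }
}

$report | Format-Table -AutoSize
```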

Is there a GUI to manage AD Recycle Bin ?

Much has been said about the manageability of AD Recycle Bin in Windows Server 2008 R2 via Microsoft’s intended way, i.e. via PoSH cmdlets. Though the feature can still only be enabled via PowerShell, the ability to restore objects (the process of reanimation of objects in earlier ADs) has been extended to a GUI by Overall Solutions Inc. The GUI tool is very simple to use and it’s available for free. Below I show you how to restore a deleted OU with objects inside via this tool. See the previous post on how to enable the AD Recycle Bin feature in your Windows Server 2008 R2 forest.

We delete an OU called Chicago which contains a Global Group.

Launch the ADRecycleBin tool (be sure to launch it under administrator’s context)

Right click on the child object of a deleted tree and select all

Click on Restore Deleted Object on top right corner

And it’s as simple as that. Lesson of the story: there is always a window for someone to step in and fill the void. I had earlier posted how Server Core, which was intended to be managed via CLI only, had made a U-TURN in the R2 release of Windows Server 2008. Personally, I wouldn’t mind having to manage this feature solely from PowerShell, but it’s nice to have the GUI option available.

Download the tool here.
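For comparison, the same restore of the Chicago OU and its contents from PowerShell, where the ordering matters: the OU has to be live again before its children can be restored into it. This is an added example, not from the original post or the tool's vendor; it assumes the ActiveDirectory module, that the OU sat directly under the domain root, and the function name Restore-DeletedChildren is hypothetical.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module
# and the Recycle Bin feature already enabled in the forest.
Import-Module ActiveDirectory

function Restore-DeletedChildren {
    # Hypothetical helper: restores every deleted object whose last known parent
    # is $ParentDN, then recurses so nested containers are refilled top-down.
    param([Parameter(Mandatory = $true)][string]$ParentDN)

    $children = Get-ADObject -IncludeDeletedObjects -Properties lastKnownParent `
        -Filter { isDeleted -eq $true -and lastKnownParent -eq $ParentDN }

    foreach ($child in $children) {
        $child | Restore-ADObject
        $live = Get-ADObject -Identity $child.ObjectGUID    # DN after the restore
        $live
        Restore-DeletedChildren -ParentDN $live.DistinguishedName
    }
}

# 'Chicago' is the OU deleted in the walkthrough.
# Assumption: it lived directly under the domain root.
$ouName   = 'Chicago'
$parentDN = (Get-ADDomain).DistinguishedName

$ou = @(Get-ADObject -IncludeDeletedObjects -Properties lastKnownParent `
        -LDAPFilter "(&(isDeleted=TRUE)(objectClass=organizationalUnit)(msDS-LastKnownRDN=$ouName))" |
    Where-Object { $_.lastKnownParent -eq $parentDN })

# Refuse to guess if the name matches zero or several deleted OUs.
if ($ou.Count -ne 1) {
    throw "Expected exactly one deleted OU named '$ouName' under $parentDN, found $($ou.Count)."
}

# Parent first, then everything that was deleted along with it.
$ou[0] | Restore-ADObject
Restore-DeletedChildren -ParentDN "OU=$ouName,$parentDN"
```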

How do I enable the Active Directory Recycle Bin in Windows Server 2008 R2 ?

Launch the PowerShell under Administrator’s account context, and type this cmdlet.

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=com' -Scope ForestOrConfigurationSet -Target 'yourdomain.com'

Read and understand the warning about this action’s irreversibility, and hit “Y” for yes to continue.

In the following screenshot I show you an error that is not necessarily applicable to you: the cmdlet complained about not being able to verify the FSMO ownership role. The reason for this was that in my VM lab environment I had shut down another DC for maintenance and it had not been replicated or talked to.

Once I brought that downed DC back online and forced the replication, I was able to proceed. You can then confirm with this cmdlet.

Get-ADOptionalFeature 'Recycle Bin Feature'

Here is a great post on this hot feature of Windows Server 2008 R2.

http://msmvps.com/blogs/ad/archive/2009/03/31/taking-out-the-trash.aspx

How do I perform an offline domain join in Windows Server 2008 R2 ?

As briefly discussed before, a feature to offline domain join machines is available in Windows Server 2008 R2. The utility used to perform this task is called “djoin.exe”. Here is an official blurb on what offline domain join is and what it would be used for, and then I will show you how to perform this simple task.

“Offline domain join is a new process that computers that run Windows® 7 or Windows Server® 2008 R2 can use to join a domain without contacting a domain controller. This makes it possible to join computers to a domain in locations where there is no connectivity to a corporate network. For example, an organization might need to deploy many virtual machines in a datacenter. Offline domain join makes it possible for the virtual machines to be joined to the domain when they initially start after the installation of the operating system. No additional restart is required to complete the domain join. This can significantly reduce the overall time required for wide-scale virtual machine deployments.

A domain join establishes a trust relationship between a computer running a Windows operating system and an Active Directory® domain. This operation requires state changes to Active Directory Domain Services (AD DS) and state changes on the computer that is joining the domain. To complete a domain join in the past using previous Windows® operating systems, the computer that joined the domain had to be running and it had to have network connectivity to contact a domain controller”

I created the metadata, also known as the “blob”, on one of my DCs for a server named 2008R2RC2 that I wanted to join to the domain offline (i.e. the target machine not connected to the network) and saved it to a txt file called computer_prov. As usual, I ran the help on the utility to learn what syntax it has available. Here is the command syntax I ran to provision the computer account and to create the metadata.

djoin /provision /domain techevan.lab /machine 2008R2RC2 /savefile c:computer_prov.txt

I then jumped on the target machine, copied the txt file over and tried to run the needed syntax with the djoin utility.

djoin /requestODJ /loadfile c:computer_prov.txt /windowspath %SystemRoot% /localos

I got an error that I was not running the shell with elevated privileges. I got out and got back in with the “run as administrator” option, and got the same error.

Perhaps it’s a bug in the RC release. I then tried the same syntax from the conventional CMD line window and was successful.

I then restarted the target computer, and the machine had been joined to the domain.

For more information please see, http://technet.microsoft.com/en-us/library/dd392267(WS.10).aspx

Active Directory Best Practices Analyzer (ADBPA)

A couple of years back someone made a recommendation on the Microsoft Exchange Forums that, equivalent to the Exchange BPA, it would be nice for AD admins to have an AD Best Practices Analyzer; this was passed on to the AD Team. I am not sure if this particular thread was the driver behind it, but starting in Windows Server 2008 R2, AD admins will have the BPA.

“Active Directory Domain Services (AD DS) Best Practices Analyzer (BPA) is a server management tool that can help you implement best practices in the configuration of your Active Directory environment. AD DS BPA scans the AD DS server role as it is installed on your Windows Server 2008 R2 domain controllers, and it reports best practice violations. You can filter or exclude results from AD DS BPA reports that you do not need to see. You can also perform AD DS BPA tasks by using either the Server Manager graphical user interface (GUI) or cmdlets in the Windows PowerShell command-line interface.”

ADBPA is a great idea; it gives you a quick glance into the new DC you have just stood up. It points you toward setting the NTP settings correctly if the DC is also the PDC. It lets you know if your OUs are not set to be protected from accidental deletion. It also reminds you that certain directory partitions (NCs) have not been backed up for a certain period of time. You can access the ADBPA from Server Manager -> ADDS.

You may notice that if you are running the Windows Server 2008 Beta version, there seems to be a bug with an ADBPA rule. One of the non-compliant complaints is about the DC’s inability to reach a DNS server to retrieve DC-specific records, even when the DC itself is also the DNS server and the pertinent records exist. This behavior has been corrected in the RC version.

The compliant section also shows where your DC meets the expected configuration, such as when it advertises itself as a DC in its local site. One downside I see with ADBPA is that it cannot be launched on its own in a separate MMC. Unlike the Exchange BPA, it is only accessible in a small window from within Server Manager. So if there is a large number of non-compliant/compliant messages, the browsing ability is not that great.

How does ADBPA gather this data ?

“When you run the AD DS BPA scan on a domain controller, the BPA engine invokes the AD DS BPA Windows PowerShell script that collects configuration data from the AD DS environment that this domain controller belongs to. The AD DS BPA Windows PowerShell script then saves the collected AD DS configuration data to an XML document. The BPA run-time engine validates this XML document against the XML schema.”

For more information on ADBPA, see this.

What’s the Schema version of Windows Server 2008 R2 ?

It is version 47 in RC, and it may very well change when R2 goes RTM. You can check the objectVersion attribute of your current forest on the Schema Naming Context (NC) via ADSIedit.msc.

Here are some older Schema versions.

13=Win2k
30=2003
31=2003R2
44=2008

Here is more detail of schema changes in Windows Server 2008 R2 RC.

http://technet.microsoft.com/en-us/library/dd378828(WS.10).aspx

Creating and applying a PSO with QADPasswordSettingsObject cmdlets is a snap

Creating an additional Password Policy (known as Password Settings Object) in Windows Server 2008 is very easy with QAD Cmdlets. Create a PSO with New-QADPasswordSettingsObject for example as shown below,

[PS] C:\Windows\System32>New-QADPasswordSettingsObject -name "Traders-Password-Policy" `
>> -passwordhistorylength 9 `
>> -passwordcomplexityenabled $true `
>> -minimumpasswordlength 7 `
>> -minimumpasswordage 1 `
>> -maximumpasswordage 15
>>
...

Name Type DN
---- ---- --
Traders-Password-Policy msDS-Passwor... CN=Traders-Password-Policy,CN=Password Settings Container,CN=System,D...

To check what other password attributes can be defined, see the help for New-QADPasswordSettingsObject. The -appliesto parameter lets you apply the PSO to a group or an individual user from right within the cmdlet shown above, but you can also do this.

[PS] C:\Windows\System32>Add-QADPasswordSettingsObjectAppliesTo 'traders-password-policy' -AppliesTo joe.blow

Name Type DN
---- ---- --
Joe Blow user CN=Joe Blow,OU=Users,OU=Chicago,DC=techevan,DC=lab

Unfortunately, there is no Set-QADPasswordSettingsObject cmdlet yet that lets you modify an existing PSO. You can use ADSIEDIT.msc to do that. Launch ADSIEDIT, and go to \domain node\System\Password Settings Container. Find the relevant PSO and go to its properties and make your modifications.

If you log on as the user to whom we just applied this PSO in the example above, you will be notified that your password expires in 14 days. It’s a great feature in Windows 7.

For more information see these links :

http://technet.microsoft.com/en-us/library/cc753481.aspx#BKMK_2

http://windowsitpro.com/article/articleid/99929/use-powershell-to-manage-fine-grained-password-policies-in-windows-server-2008.html